Don’t outsource your DPO! Or should you?
25 April 2023
This article considers the implications of making an internal appointment of a Data Protection Officer without considering the full implications of the role and the responsibilities on the organization to meet the standard of “Accountability” in UK GDPR.
There is always someone in the office who can be persuaded to take on a new “hat”. “Money laundering officer”, “Fire Marshal” and “Health & Safety Officer” are common examples. This usually happens when the implications of non-compliance are deemed low risk and the appointment will probably work adequately until there is a real problem.
New appointees are likely to attend a couple of courses, possibly subscribe to online updates or at least read a bit about the topic and their responsibilities. Whether that is sufficient to discharge the organisation’s responsibility is only a matter for concern when there is a real problem.
So, what would a real problem look like in terms of data protection compliance? The Information Commissioner’s Office (“ICO”) will send a formal letter requesting answers to charges laid on behalf of a disgruntled data subject. This could be a customer, service user, colleague or website visitor.
There are some key points here:
- How quickly can a response be made to the ICO bearing in mind the evidentiary requirements? Every statement made in the response will need to be backed up with proof. The questions on the investigation form are standard and require evidence of good practice such as:
  - evidence of staff training: a schedule showing frequency of training and the content of training material;
  - evidence of compliant work processes such as policies and procedures relating to services provided, complaints handling, and the administration and security of personal data in the organisation.
- How much responsibility will fall to the organisation if the designated Data Protection Officer has not fulfilled the role to meet statutory requirements?
- Was there an earlier stage in the complaint when steps could have been taken to prevent the issue arising at all?
Speed of response
Speed of response to the ICO will depend on how much informed and experienced resource can be thrown at the problem. Expertise may have to be bought in, at short notice, at high cost. The lack of evidence of regular staff training or compliance policies and procedures can’t be remedied retrospectively but the ICO will expect an indication of what steps the organization will take to prevent a recurrence of the issue in future and appropriate training, policies and procedures will be required as part of that. So more time and money will be committed to remedy omissions.
Responsibility for breaches and complaints
Making a proper appointment of the DPO is the responsibility of the organisation, which must select a candidate who has appropriate experience of compliance, has knowledge of data protection and is sufficiently senior to be heard at the highest level of management in the business.
Responsibility to adequately resource and support the DPO is ongoing. The DPO should have a budget for data protection training for themselves and to fund legal advice when needed. They should not have any conflict between their day-to-day role and the DPO role and should not be pressured by colleagues to act or decide in a particular way. It is unlikely that the ICO would criticize a DPO except if in flagrant breach of their obligations. The ICO will look to the organisation to take responsibility for non-compliance.
Being able to make a timely response to the ICO with evidence of compliance as outlined above is part of the organisation’s defence to a complaint in practice. Lack of evidence is indicative of systemic compliance failures on the part of the organisation. Put simply, systemic compliance failures lead to fines.
Avoiding breaches and complaints
If they have not discovered this by now, organisations should review their data protection compliance before starting to trade, before a new project goes live and regularly thereafter. Compliance requirements are relatively straightforward, particularly if addressed in good time without the pressure of trying to retrofit compliance controls.
A good compliance framework not only reduces the risk of a data breach or other complaint, but will provide a defence should one occur. The worst case scenario of being found guilty of systemic compliance failures can be avoided in this way.
How we can help
We offer support to businesses of all types and sizes. We can provide interim short or long term DPO services. Give us a call or complete our website contact form; we’d be happy to help.
We can also support your Data Protection Officer with legal advice and guidance on best practice and we have a package of mini audit forms to use when checking compliance and to evidence the results.
Mandy P Webster